A Malware Analysis and Artifact Capture Tool


Dakota State University, Beadle Scholar
Masters Theses & Doctoral Dissertations, Spring 3-2019

A Malware Analysis and Artifact Capture Tool
Dallas Wright, Dakota State University

Follow this and additional works at: https://scholar.dsu.edu/theses
Part of the Information Security Commons, and the Systems Architecture Commons

Recommended Citation
Wright, Dallas, "A Malware Analysis and Artifact Capture Tool" (2019). Masters Theses & Doctoral Dissertations. 327. https://scholar.dsu.edu/theses/327

This Dissertation is brought to you for free and open access by Beadle Scholar. It has been accepted for inclusion in Masters Theses & Doctoral Dissertations by an authorized administrator of Beadle Scholar. For more information, please contact [email protected].

A MALWARE ANALYSIS AND ARTIFACT CAPTURE TOOL

A dissertation submitted to Dakota State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Cyber Operations
March 2019
By Dallas Wright

Dissertation Committee:
Dr. Wayne Pauli
Dr. Josh Stroschein
Dr. Jun Liu

Abstract

Malware authors attempt to obfuscate and hide their execution objectives in their program's static and dynamic states. This paper provides a novel approach to aid analysis by introducing a malware analysis tool that is quicker to set up and use than other existing tools. The tool intercepts and captures malware artifacts while providing dynamic control of process flow. Capturing malware artifacts allows an analyst to understand malware behavior and obfuscation techniques more quickly and comprehensively, and doing so interactively allows multiple code paths to be explored. The faster malware can be analyzed, the sooner the systems and data it has compromised can be identified and its infection stopped. This research proposes an instantiation of an interactive malware analysis and artifact capture tool.

Declaration

I hereby certify that this dissertation constitutes my own product, that where the language of others is set forth, quotation marks so indicate, and that appropriate credit is given where I have used the language, ideas, expressions or writings of another. I declare that the dissertation describes original work that has not previously been presented for the award of any other degree of any institution.

Signed, _____________________________
Dallas Wright

Table of Contents

A MALWARE ANALYSIS AND ARTIFACT CAPTURE TOOL ... i
Abstract ... iii
Declaration ... iv
Table of Contents ... v
List of Tables ... viii
List of Figures ... ix
CHAPTER ONE ... 1
    Introduction ... 1
    Problem Relevance ... 2
    Problem Statement ... 3
    Purpose Statement ... 3
    Primary Research Questions ... 4
    Hypotheses ... 5
    Theoretical Framework ... 5
    Research Design ... 6
    Introduction Summary ... 7
CHAPTER TWO ... 8
    Literary Review ... 8
    Review of Literature ... 8
    Literary Review Summary ... 14
CHAPTER THREE ... 16
    Application Design and Specifications ... 16
    Research Approach ... 16
    Assumptions and Limitations ... 17
    Malware Samples ... 18
    Iterative Development ... 19
    Data Analysis ... 20
    Application Overview ... 24
    Technical Specifications ... 31
    Major Functional Requirements ... 34
    Application Design Summary ... 43
CHAPTER FOUR ... 44
    MACT Evaluation ... 44
    MACT Example Use ... 49
    Preliminary Functional Testing ... 53
    Testing Process ... 54
    Bypassing Anti-analysis Techniques with MACT ... 56
    MACT Testing ... 59
    MACT Malware Evaluation Case Studies ... 60
        Sample 1 - PUA ... 60
        Sample 2 - Trojan ... 64
        Sample 3 - PUA ... 68
        Sample 4 - Worm ... 74
        Sample 5 - Ransomware ... 82
        Sample 6 - PUA ... 89
        Sample 7 - Backdoor ... 96
        Sample 8 - Trojan ... 101
        Sample 9 - Virus ... 104
        Sample 10 - Worm ... 111
    Testing Summary ... 114
CHAPTER FIVE ... 118
    Conclusions and Recommendations ... 118
    Overview